On Wed, 18 Jan 2006, John Summerfied wrote:

> Dave Jones wrote:
> > On Tue, Jan 17, 2006 at 12:14:58PM -0500, Adam Gibson wrote:
> > > http://arstechnica.com/news.ars/post/20060113-5975.html
> > >
> > > From all the reading I have done it seems that configuration would be
> > > much easier for most system admins. A utility can learn what access is
> > > needed by monitoring the app so that you don't have to know all the
> > > details of what the app touches to get it working for new apps.
> >
> > For one thing it needs kernel patches that aren't upstream, which makes
> > it unlikely. Given it duplicates a subset of SELinux functionality,
> > it seems somewhat pointless to divide our efforts on two solutions
> > to the same problem instead of improving the one that upstream has
> > already chosen.
>
> If Red Hatters are monitoring the opposition, they will already know
> about AppArmour.

Furthermore, it does a number of things differently than SELinux. It does
not just "duplicate a subset of SELinux functionality". It does not have
the problem of requiring a tagged filesystem like SELinux does. It allows
you to contain processes in a "chrootless chroot". It specifies what a
process can touch on the filesystem, and how, on a per-application basis.

I am not certain if the two can be merged or not. I have not tested the
latest kernel patches against an SELinux-enabled kernel. I am planning on
doing it for my own use. The current Rawhide kernel is giving me fits
though. (The nvidia driver no longer builds.)

-- 
"George W. Bush -- Bringing back the Sixties one Nixon at a time."
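To make the "per-application, path-based" point above concrete, here is an added example of an AppArmor profile. It is not part of the original post or of any project's shipped policy; the binary `/usr/sbin/myapp` and the paths under it are made-up placeholders, and the syntax (including `deny` rules) is that of current AppArmor releases rather than the 2006-era patches the thread discusses.

```apparmor
# Added example: confine a hypothetical daemon /usr/sbin/myapp.
# Rules are keyed on pathnames; no file needs an on-disk label,
# which is the contrast with SELinux that the post is drawing.
#include <tunables/global>

/usr/sbin/myapp {
  # Common read-only library, locale and resolver access.
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Only the capabilities the daemon actually needs.
  capability net_bind_service,
  capability setuid,
  capability setgid,

  # TCP sockets only; no raw or packet sockets.
  network inet stream,

  # The binary itself: map (m) and read (r).
  /usr/sbin/myapp mr,

  # Configuration is read-only; ** recurses into subdirectories.
  /etc/myapp/** r,

  # State and logs: read, write and file locking (k) where needed.
  /var/lib/myapp/** rwk,
  /var/log/myapp/*.log w,
  /run/myapp.pid rw,

  # Anything not listed is already denied. Explicit deny rules just
  # suppress audit noise for paths the daemon is known to probe.
  deny /etc/shadow r,
  deny /home/** rw,
}
```

A profile like this is the "chrootless chroot" the post describes: the process keeps a normal view of the filesystem, but the kernel refuses every open, exec or mmap outside the listed paths. The learning workflow mentioned at the top of the thread is what `aa-genprof` and `aa-logprof` (in the `apparmor-utils` package) do: run the application under a complain-mode profile, then turn the logged accesses into rules such as the ones above. The practical caveat, which the post does not mention, is the flip side of not needing labels: because the rules are on pathnames, a hard link or bind mount that exposes the same inode under an unlisted path is not covered, whereas an SELinux label travels with the inode.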